Security and open source CMS

I'm working with a large (very large) nonprofit that wants to migrate to a CMS from their very maintenance intensive present site. Last year, they spoke to an expert that suggested they stay away from Joomla and other open source CMS because of security concerns (hacking and the like).

I have a few questions:
1. Is that a valid concern? (My gut reaction is yes)
2. Would a paid solution be more secure or would a custom built solution be really the optimum solution?
3. If paid solution, what recommendations?

Thanks for your responses in advance, I look forward to hearing the opinions on this board.

IMHO, open-source apps are primarily only a security problem if they aren't updated as soon as a new release (i.e. with a security fix, not so much for feature enhancements only) becomes available. The problem is that once a security hole is published, the script-kiddies try out the exploit on older applications. So it's more a matter of staying one step ahead.

Private/custom apps can be just as insecure, or more so, but because the security flaws are not public knowledge, they have to be "tested" for someone to find them.

You should probably make web decisions with something else and reserve your gut for food-related decisions.

In my experience, closed-source solutions have more security problems than the best open-source ones. It only seems like they don't because the closed folks don't tell you about all the exploits, while the open source projects do.

Don't get me wrong; I don't mean to imply that open source cms's are perfect. I don't even think they're very good. But I don't think the closed-source (proprietary) ones are any better, and with open source ones, you can patch around known issues while waiting for an "official" fix, something you can't do with the other solutions.

But if you can see the source, can't you figure out exploits easier? Yes, and no. Because everyone trying to fix the source can *also* see those exploits. So the easy ones get found quicker and fixed faster in the open source model, because there are orders of magnitude more people fixing them than any single company, even Microsoft, has working on proprietary systems.

So the easy exploits get fixed in the good OS packages, making the exploits a little more difficult in the long run.

The security model you're thinking of when thinking closed systems are more secure is known in the trade as "security by obscurity," and any security professional will tell you it's the weakest level of security.

While it's true that open-source can be looked at by someone specifically looking for a hole to exploit, I think the majority of attacks come following the publication of a hole. That is, script-kiddies are too lazy and not smart enough to work at it. This is one reason why "proprietary" apps appear more secure. It's a lot of work to keep probing a site looking for a way in.

Much easier to find an "Exploit X found in app Y ver. Z" (sites publishing these can be found easily by searching), find sites running "app Y ver. Z" and attack it taking advantage of "exploit X".

Security is complex and has many levels, as Arlen stated

Originally Posted by Arlen

"security by obscurity," .... the weakest level of security.

while a site obviously made by a "newbie" might be more likely to have weaknesses and attract an attack, any app can have security weaknesses. Don't put yourself behind a false shield thinking that just because it's not open-source it must be more locked down.

If you really want to have your eyes opened, take a look at ha.ckers.org

Arlen and Mittineague, you both make good points. I guess I was applying the Microsoft/Apple theory that if it's more distributed, it's more open to hacking. However, as Arlen intimated, if the closed source is full of vulnerabilities, it's no better (and possibly worse) than an OS that has a strong community.

So between closed source, well supported and open source with a strong community, which would be a better choice in your opinion, for a non-profit, say, on the level of http://www.doctorswithoutborders.org/ (not my client, but similar in the type of site they need and size of organization).

Yes and no. As Mittineague stated it largely depends on keeping the software up to date with the latest fixes etc. At the end of the day how quick developers react to any security issues might be a factor.

Originally Posted by dmaui

2. Would a paid solution be more secure or would a custom built solution be really the optimum solution?

Not necessarily, though it's in the interests of a commercial developer to keep their application secure, else a serious issue could impact on their income if left unplugged for any amount of time.

Originally Posted by dmaui

3. If paid solution, what recommendations?

There are plenty of paid solutions so it's difficult to recommend any particular one. However, as an example of a large high traffic site, Obama's election site was built using Movable Type and ExpressionEngine. His new site http://change.gov/ is built with just ExpressionEngine.

I have a few questions:
1. Is that a valid concern? (My gut reaction is yes)

Security is always a valid concern! Some are quite on the ball. Others, not so much. Have a good read of the various vulnerabilities sites and see what's up there. You'll soon get a good feel for what's being quickly addressed.

2. Would a paid solution be more secure or would a custom built solution be really the optimum solution?

Not necessarily. If they were to go with something open source like Drupal I'd recommend they hire or contract an experienced developer to keep an eye on things for them.